ign with multiple keys: import three keys at once

igorpecovnik · igorpecovnik · commit 7786c07e0b91 · 2025-06-22T21:21:32.000+02:00
diff --git a/.github/workflows/pack-debian.yml b/.github/workflows/pack-debian.yml
@@ -36,18 +36,32 @@ on:
         type: string
 
     secrets:
-      GPG_PRIVATE_KEY:
-        required: true
-      PASSPHRASE:
-        required: true
-      SSH_KEY_TORRENTS:
+      PRIMARY_KEY:
+        required: false
+      PRIMARY_PASS:
+        required: false
+      SECONDARY_KEY:
+        required: false
+      SECONDARY_PASS:
+        required: false
+      TERTIARY_KEY:
         required: false
-      KNOWN_HOSTS_UPLOAD:
+      TERTIARY_PASS:
         required: false
 
+env:
+  PRIMARY_KEY: ${{ secrets.PRIMARY_KEY }}
+  PRIMARY_PASS: ${{ secrets.PRIMARY_PASS }}
+  SECONDARY_KEY: ${{ secrets.SECONDARY_KEY }}
+  SECONDARY_PASS: ${{ secrets.SECONDARY_PASS }}
+  TERTIARY_KEY: ${{ secrets.TERTIARY_KEY }}
+  TERTIARY_PASS: ${{ secrets.TERTIARY_PASS }}
+
 jobs:
 
   prepare:
+    name: Prepare releases
+    if: ${{ github.repository_owner == 'Armbian' }}
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.prep.outputs.matrix }}
@@ -178,23 +192,65 @@ jobs:
           path: repository
           ref: repository
 
-      - name: Import GPG key
-        id: import_gpg
+      - name: Import PRIMARY GPG key
+        id: import_gpg_primary
+        if: env.PRIMARY_KEY != ''
         uses: crazy-max/ghaction-import-gpg@v6
         with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.PASSPHRASE }}
+          gpg_private_key: ${{ secrets.PRIMARY_KEY }}
+          passphrase: ${{ secrets.PRIMARY_PASS || '' }}
+
+      - name: Import SECONDARY GPG key
+        id: import_gpg_secondary
+        if: env.SECONDARY_KEY != ''
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.SECONDARY_KEY }}
+          passphrase: ${{ secrets.SECONDARY_PASS || '' }}
+
+      - name: Import TERTIARY GPG key
+        id: import_gpg_tertiary
+        if: env.TERTIARY_KEY != ''
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.TERTIARY_KEY }}
+          passphrase: ${{ secrets.TERTIARY_PASS || '' }}
+
+      - name: Generate GPG_PARAMETERS array
+        id: build_gpg_parameters
+        env:
+          FPR_PRIMARY: ${{ steps.import_gpg_primary.outputs.fingerprint }}
+          FPR_SECONDARY: ${{ steps.import_gpg_secondary.outputs.fingerprint }}
+          FPR_TERTIARY: ${{ steps.import_gpg_tertiary.outputs.fingerprint }}
+        run: |
+
+          GPG_PARAMETERS=" --yes --armor"        
+          if [ -n "${{ env.FPR_PRIMARY }}" ]; then
+            GPG_PARAMETERS+=" -u ${{ env.FPR_PRIMARY }}"
+          fi        
+          if [ -n "${{ env.FPR_SECONDARY }}" ]; then
+            GPG_PARAMETERS+=" -u ${{ env.FPR_SECONDARY }}"
+          fi        
+          if [ -n "${{ env.FPR_TERTIARY}}" ]; then
+            GPG_PARAMETERS+=" -u ${{ env.FPR_TERTIARY}}"
+          fi
+          echo "GPG_PARAMETERS=$GPG_PARAMETERS" >> $GITHUB_ENV
+
+      - name: Display GPG_PARAMETERS
+        run: |
+          echo "<pre>GPG_PARAMETERS: ${{ env.GPG_PARAMETERS }}</pre>" >> $GITHUB_STEP_SUMMARY
 
       - name: Configure git identity
         working-directory: repository
+        env:
+          GPG_TTY: ${{ env.GPG_TTY || '/dev/tty' }}
         run: |
 
-          echo "Testing signing" | gpg --sign --armor
-
-          gpg -K
-          echo "#"
-          git config user.name github-actions
-          git config user.email github-actions@github.com
+          #echo "Available GPG keys:" >> $GITHUB_STEP_SUMMARY
+          #gpg --list-secret-keys --keyid-format LONG >> $GITHUB_STEP_SUMMARY
+          #cho "data" | gpg --armor --batch --yes --local-user DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 --sign # need password
+          # echo "data" | gpg --armor --batch --yes --local-user B4A41B81566CC20009232FE45CD410F6B3CBB6BB --sign # need password
+          #cho "data" | gpg --armor --batch --yes --local-user 8CFA83D13EB2181EEF5843E41EB30FAF236099FE --sign
 
       - name: Deploy packages
         run: |
@@ -214,7 +270,6 @@ jobs:
           Architectures: amd64 arm64 armhf riscv64
           Components: main
           Description: Armbian development repo
-          SignWith: DF00FAF1C577104B50BF1D0093D6889F9F0E78D5
           EOD
 
           # Determine a list of binary debs to include in the repo
@@ -242,7 +297,24 @@ jobs:
           echo "Repository generated at ${REPO_DIR}/"
           fi
 
+          echo "Sign repo"
+          GPG_PARAMETERS=(
+            "--yes"
+            "--armor"
+            "-u" "DF00FAF1C577104B50BF1D0093D6889F9F0E78D5" # Igor Pecovnik (Ljubljana, Slovenia) <igor.pecovnik@gmail.com>
+            "-u" "8CFA83D13EB2181EEF5843E41EB30FAF236099FE" # Armbian Repository Signing Key (Repository Key) <info@armbian.com>
+          )
+          for i in ${REPO_DIR}/dists/*/Release
+          do
+            DISTRO_PATH="$(dirname "$i")"
+            echo $DISTRO_PATH
+            gpg "${{ env.GPG_PARAMETERS }}" --clear-sign -o "$DISTRO_PATH/InRelease" "$i"
+            gpg "${{ env.GPG_PARAMETERS }}" --detach-sign -o "$DISTRO_PATH/Release.gpg" "$i"
+          done
+
           cd ${REPO_DIR}
+          git config user.name "github-actions"
+          git config user.email "github-actions@github.com"
           git add .
           git commit -m "Updating repo" || true
           git push origin repository || true
